krb5-1.12 is released

Russ Allbery eagle at eyrie.org
Thu Jan 9 12:04:19 EST 2014


Simo Sorce <simo at redhat.com> writes:
> On Thu, 2014-01-09 at 08:35 -0800, Russ Allbery wrote:

>> Debian distinguishes between interactive and noninteractive sessions,
>> yes.  But I don't believe that resetting the session keyring for an
>> interactive sudo is appropriate, and the author of the pam_keyinit man
>> page seems to agree with me.

> Ok, this is getting a little bit off-topic so feel free to ignore or
> respond privately. But how does an interactive su/sudo session differ
> from an ssh session to localhost?
> In the second case you do create a new session.

Because frequently the whole point of a su or sudo session is to run
commands as a different user with your current credentials.  Think AFS
tokens, for instance (which use the keyring).

The excerpt from the pam_keyinit man page is:

    This module should not, generally, be invoked by programs like su,
    since it is usually desirable for the key set to percolate through to
    the alternate context. The keys have their own permissions system to
    manage this.

I've had similar requests for pam_afs_session and pam_krb5 in the past to
honor the existing Kerberos ticket cache when changing users.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
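An added example, not part of the thread above: a small parser for /etc/pam.d-style service files that reports whether a service such as sudo invokes pam_keyinit in its session phase, and so would replace the session keyring that carries AFS tokens or Kerberos keys. The sample service files are constructed for the example, not taken from any distribution.

```python
from collections import namedtuple

# Added audit helper (not code from the thread or from Linux-PAM).
PamEntry = namedtuple("PamEntry", "type control module args optional")

def parse_pam_entries(text):
    """Parse /etc/pam.d-style lines into PamEntry records.

    Handles '#' comment lines, blank lines, backslash continuations,
    '@include', a leading '-' (module is optional if not installed) and
    bracketed control fields such as "[success=1 default=ignore]".
    """
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head, rest = (line.split(None, 1) + [""])[:2]
        rest = rest.strip()
        if head == "@include":
            entries.append(PamEntry("@include", "", rest, (), False))
            continue
        if rest.startswith("["):                      # bracketed control field
            end = rest.index("]")
            control, rest = rest[:end + 1], rest[end + 1:]
        else:
            control, rest = (rest.split(None, 1) + [""])[:2]
        fields = rest.split()
        module = fields[0] if fields else ""
        entries.append(PamEntry(head.lstrip("-"), control, module,
                                tuple(fields[1:]), head.startswith("-")))
    return entries

def keyinit_entries(text):
    """Return the session-phase pam_keyinit entries of a service file."""
    return [e for e in parse_pam_entries(text)
            if e.type == "session" and e.module.endswith("pam_keyinit.so")]

def resets_session_keyring(text):
    """True if the service installs a fresh session keyring via pam_keyinit,
    which the pam_keyinit man page says su-like programs should avoid."""
    return bool(keyinit_entries(text))

# Constructed sample service files (not real files from any system).
SUDO_SAMPLE = """\
@include common-auth
session required pam_permit.so
@include common-session-noninteractive
"""
SUDO_KEYINIT_SAMPLE = """\
# new session keyring: AFS tokens / Kerberos keys no longer visible
session optional pam_keyinit.so force revoke
-session optional pam_systemd.so
auth [success=1 default=ignore] pam_unix.so nullok
"""
```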